Skip to main content
openpaper

Privacy Policy

Last updated: March 2, 2026

1. Data Controller

TUYO UG (haftungsbeschränkt)
Mansteinstr. 27
20253 Hamburg, Germany
Email: team@openpaper.dev

2. Lawful Basis for Processing

We process personal data under the following legal bases (GDPR Art. 6):

  • Consent (Art. 6(1)(a)): Analytics cookies (PostHog). You can withdraw consent at any time by clearing your browser storage.
  • Contract performance (Art. 6(1)(b)): Account creation, paper generation, payment processing.
  • Legitimate interest (Art. 6(1)(f)): Security, fraud prevention, service improvement.

3. Data We Collect

  • Account data: Email address, display name (via Google OAuth profile).
  • Generation data: Paper topics, settings (level, citation style, language), generation history.
  • Payment data: Processed by Stripe. We store your Stripe customer ID and subscription status. We never store credit card numbers directly.
  • Usage data: Pages visited, features used (via PostHog analytics, with consent).

4. Cookies and Local Storage

Cookie / KeyPurposeTypeDuration
sb-*Authentication session (Supabase)EssentialSession
ph_*Analytics (PostHog)Requires consent1 year
__stripe*Fraud prevention (Stripe hosted checkout)EssentialSession
cookie-consentStores your consent preferenceEssential (localStorage)Persistent

5. Third-Party Processors and Data Transfers

We use the following third-party services. Some involve data transfers outside the EU, protected by Standard Contractual Clauses (SCCs) or equivalent safeguards:

  • Google Gemini (US): Paper generation. Topics and settings are sent as prompts.
  • Stripe (US): Payment processing. EU SCCs apply.
  • Resend (US): Transactional email delivery.
  • PostHog (EU, eu.posthog.com): Analytics. Only with your consent.
  • Supabase (EU, eu-central-1): Authentication and database.
  • CrossRef / Semantic Scholar (US): Citation verification. No personal data is sent.

6. Data Retention

  • Account data: Retained until you delete your account.
  • Generations: Retained until you delete them.
  • Payment records: Retained for 10 years per German tax law (AO §147).

7. Your Rights (GDPR Art. 15-22)

You have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (right to be forgotten) (Art. 17)
  • Data portability (Art. 20)
  • Restrict processing (Art. 18)
  • Object to processing (Art. 21)

To exercise any of these rights, contact us at team@openpaper.dev.

8. Right to Complain

You have the right to lodge a complaint with the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI): datenschutz-hamburg.de.

9. Changes to This Policy

We may update this policy from time to time. Changes are posted on this page with an updated date. Continued use of OpenPaper after changes constitutes acceptance.